As more and more computers, and other computing devices, are inter-connected through various networks, such as the Internet, computer security has become increasingly important, particularly against invasions or attacks delivered over a network or over an information stream. As those skilled in the art will recognize, these attacks come in many different forms, including, but certainly not limited to, computer viruses, computer worms, system component replacements, denial of service attacks, and even misuse/abuse of legitimate computer system features, all of which exploit one or more computer system vulnerabilities for illegitimate purposes. While those skilled in the art will realize that the various computer attacks are technically distinct from one another, for purposes of the present invention and for simplicity in description, all of these attacks will be generally referred to hereafter as computer exploits, or more simply, exploits.
When a computer system is attacked or “infected” by a computer exploit, the adverse results are varied, including disabling system devices; erasing or corrupting firmware, applications, or data files; transmitting potentially sensitive data to another location on the network; shutting down the computer system; or causing the computer system to crash. Yet another pernicious aspect of many, though not all, computer exploits is that an infected computer system is used to infect other computers.
FIG. 1 is a pictorial diagram illustrating an exemplary networked environment 100 over which a computer exploit is commonly distributed. As shown in FIG. 1, the exemplary networked environment 100 includes a plurality of computers 102-108 all inter-connected via a communication network 110, such as an intranet or a larger communication network including the global TCP/IP network commonly referred to as the Internet. For whatever reason, a malicious party on a computer connected to the network 110, such as computer 102, develops a computer exploit 112 and releases it on the network. The released computer exploit 112 is received by, and infects, one or more computers, such as computer 104, as indicated by arrow 114. As is typical with many computer exploits, once infected, computer 104 is used to infect other computers, such as computer 106 as indicated by arrow 116, which in turn infects yet other computers, such as computer 108 as indicated by arrow 118. Clearly, due to the speed and reach of modern computer networks, a computer exploit 112 can “grow” at an exponential rate and become a local epidemic that quickly escalates into a global computer pandemic.
A traditional defense against computer exploits, and particularly computer viruses and worms, is anti-virus software. Generally, anti-virus software scans incoming data, arriving over a network, looking for identifiable patterns associated with known computer exploits. Upon detecting a pattern associated with a known computer exploit, the anti-virus software may respond by removing the computer virus from the infected data, quarantining the data, or deleting the “infected” incoming data. Unfortunately, anti-virus software typically works with “known,” identifiable computer exploits. Frequently, this is done by matching patterns within the data to what is referred to as a “signature” of the exploit. One of the core deficiencies in this exploit detection model is that an unknown computer exploit may propagate unchecked in a network until a computer's anti-virus software is updated to identify and respond to the new computer exploit.
As anti-virus software has become more sophisticated and efficient at recognizing thousands of known computer exploits, so too have computer exploits become more sophisticated. For example, many recent computer exploits are now polymorphic, or in other words, have no identifiable pattern or “signature” by which they can be recognized by anti-virus software in transit. These polymorphic exploits are frequently unrecognizable by anti-virus software because they modify themselves before propagating to another computer system.
Another defense that is common today in protecting against computer exploits is a hardware or software network firewall. As those skilled in the art will recognize, a firewall is a security system that protects an internal network from unauthorized access originating from external networks by controlling the flow of information between the internal network and the external networks. In one common arrangement, all communications originating outside of the firewall are first sent to a proxy that examines the communication and determines whether it is safe or permissible to forward the communication to the intended target. Unfortunately, properly configuring a firewall so that permissible network activities are uninhibited and impermissible network activities are denied is a sophisticated and complicated task. In addition to being technically complex, a firewall configuration is difficult to manage. When firewalls are improperly configured, permissible network traffic may be inadvertently shut down and impermissible network traffic may be allowed through, compromising the internal network. For this reason, changes to firewalls are generally made infrequently, and only by those well versed in the subject of technical network design.
As yet a further limitation of firewalls, while a firewall protects an internal network, it does not provide any protection for specific computers. In other words, a firewall does not adapt itself to a specific computer's needs. Instead, even if a firewall is used to protect a single computer, it still protects that computer according to the firewall's configuration, not according to the single computer's configuration.
Yet another issue related to firewalls is that they do not provide protection from computer exploits originating within the borders established by a firewall. In other words, once an exploit is able to penetrate the network protected by a firewall, the exploit is uninhibited by the firewall. This situation frequently arises when an employee takes a portable computer home (i.e., outside of the corporate firewall protection) and uses it at home in a less secured environment. Unknown to the employee, the portable computer is then infected. When the portable computer is reconnected to the corporate network within the protection of the firewall, the exploit is often free to infect other computers unchecked by the firewall. Similarly, when a person, unknowingly or otherwise, brings in media infected with a computer exploit, such as a CD-ROM, a floppy disk, a flash memory storage device, or the like, and reads or executes information stored on the media using a computer within the protective borders of the firewall, that computer and the corporate network are again exposed and at risk, unprotected by the firewall.
With regard to the problem of connecting, or reconnecting, a portable computer potentially infected by a computer exploit to a network, one solution has been to place the added computer in a quarantined virtual local area network (referred to as VLAN) within the network. VLANs, as are known in the art, are logical sub-networks that may be established within an actual network irrespective of the actual, physical configuration of the network. A network administrator controls the ability of computers within one VLAN to communicate with other devices outside of the VLAN in the network, such as with computers and devices in other VLANs. Thus, the quarantined VLAN is configured to disallow computers within the quarantined VLAN to communicate with any other devices and/or computers outside of the quarantined VLAN, with very limited exceptions. Only after the added computer is certified as being free of computer exploits is the added computer admitted to other “regular” VLANs in the network. Unfortunately, while this practice may protect the network from any computer exploits found on the added computer, there are potentially serious consequences.
One consequence of quarantining an added computer to a quarantined VLAN is that the added computer is exposed to any computer exploit circulating within the quarantined VLAN. Thus, while the added computer may be free of all computer exploits prior to being quarantined, when placed in the quarantined VLAN there is a substantial risk that it will be infected by computer exploits on other computers also quarantined to the quarantined VLAN. As another consequence, if the added computer is infected with a computer exploit, when the added computer is placed in the quarantined VLAN the other computers within the quarantine are exposed to the computer exploits infecting the added computer. In short, while the network as a whole may be protected, the likelihood of a computer placed in the quarantined VLAN being infected by a computer exploit is substantially increased.
As mentioned above, computer exploits now leverage legitimate computer system features in an attack. Thus, many parties other than firewall and anti-virus software providers must now join in defending computers from these computer exploits. For example, operating system providers must now, for economic and contractual reasons, continually analyze their operating systems to identify weaknesses or vulnerabilities that may be used by a computer exploit. For purposes of the present discussion, any avenue by which a computer exploit may attack a computer system will be generally referred to as a computer system vulnerability, or simply a vulnerability.
As vulnerabilities are identified and addressed in an operating system, or in other computer system components, drivers, and/or applications, a provider will typically release a software update to remedy and address the vulnerability. These updates, frequently referred to as patches, are intended to be installed on a computer system in order to secure the computer system from the identified vulnerabilities. However, these updates are, in essence, code changes to components of the operating system, device drivers, or software applications, etc. As such, they cannot be released as rapidly and freely as anti-virus updates from anti-virus software providers. Because these updates are code changes, the software updates require substantial in-house testing prior to being released to the public. Unfortunately, even with in-house testing, a software update may cause one or more other computer system features to break or malfunction. Thus, software updates create a huge dilemma to parties that rely upon certain aspects of a computer system, especially if it may affect critical features of the computer system. More specifically, does a party update its computer systems to protect them from the vulnerability and risk disrupting their computer systems' operations, or does the party refrain from updating its computer systems and run the risk that its computer systems may be infected?
One novel approach to protecting network devices, including personal computers, personal digital assistants (PDAs), mobile communication devices, and the like, is to place a network security module between the network and the network device such that all communication to and from the network device must pass through the network security module. This novel approach is described in greater detail in commonly assigned, U.S. Provisional Patent Application No. 60/544,783, filed Feb. 13, 2004, entitled “System and Method for Securing a Computer System Connected to a Network from Attacks,” and is incorporated in its entirety herein by reference.
According to this incorporated system and method, each network security module implements, or enforces, security measures corresponding to the protected network device's specific configuration and also to currently identified computer system vulnerabilities. The network security modules obtain the security measures from a security service, either from a global security service or through a hierarchical organization of security services, called federated security services. Implementing or enforcing security measures implies exercising control over various aspects of network activities to and from the protected network device. Examples of the security measures include: blocking all network communications to and from a protected network device except communications between the protected network device and trusted network locations, such as security services or anti-virus software services; blocking network traffic on certain communication ports and addresses; blocking communications to and/or from certain network-related applications, such as an e-mail or Web browser application; and blocking access to particular hardware or software components on the protected network device.
In operation, a network security module is typically configured to periodically query or poll a security service for the current security measures. Thus, when a computer exploit is detected on the network, or when an operating system provider detects a vulnerability in its system, the operating system provider supplies security measures countering the vulnerability or exploit to the security services. These updated security measures are then obtained by the network security modules as they periodically poll the security service. Once obtained, the updated/current security measures are implemented/enforced by the network security module, thereby insulating the protected network device from the detected computer exploit or vulnerability.
Until a computer exploit is better understood, initial security measures may include blocking all network activities to and from the protected network device. However, once the computer exploit is better understood, a less stringent set of security measures may be used to permit some network activity, yet maintain adequate protection from the vulnerability. Further on, once a software update or an anti-virus update has been developed and subsequently installed on the protected network device, a new set of security measures may be obtained permitting “normal” network activity to resume, this new set reflecting the fact that the protected network device is no longer vulnerable due to the installation of the software or anti-virus update.
While the above-incorporated system addresses how to protect network devices from computer exploits, a real possibility exists that when a particularly virulent computer exploit is detected, all network activities on all network devices within a network will be blocked, including communications between computers carrying out business-critical operations. For example, assume a business-critical application runs on an application server, and relies upon obtaining information stored on a database server elsewhere in the computer network. Blocking all network activities would necessarily mean that the application server would not be able to obtain information from the database server, thereby bringing the business-critical application to a halt.
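The following is an added example, not code from the patent or from the incorporated applications, modelling the poll-and-enforce behaviour described above and the business-critical failure it can produce. The level names (lockdown, restricted, normal), the host names, the ports and the application labels are assumptions chosen for illustration; the measure kinds (trusted locations, blocked ports, blocked applications, block-all) are the ones the text lists. The `run_lifecycle` function walks a protected application server through the three stages: initial block-all once an exploit is detected, a relaxed set once the exploit is understood, and normal activity once the device is patched. Note that during the lockdown stage the server's query to its database is denied, which is exactly the problem raised in the preceding paragraph.

```python
"""Toy network security module enforcing measures polled from a security service.
Added example; host names, ports, levels and app labels are assumed, not from the text."""
from dataclasses import dataclass, field
from enum import Enum


class Level(Enum):
    LOCKDOWN = "lockdown"      # exploit detected, not yet understood: block all but trusted
    RESTRICTED = "restricted"  # exploit understood: block specific ports and applications
    NORMAL = "normal"          # update installed: normal network activity resumes


@dataclass(frozen=True)
class Flow:
    peer: str   # remote network location
    port: int   # remote communication port
    app: str    # local application originating the traffic


@dataclass
class SecurityMeasures:
    level: Level
    trusted_locations: set = field(default_factory=set)
    blocked_ports: set = field(default_factory=set)
    blocked_apps: set = field(default_factory=set)

    def permits(self, flow: Flow) -> bool:
        # Traffic to trusted locations (the security service itself, AV servers)
        # is always allowed, otherwise the module could never fetch new measures.
        if flow.peer in self.trusted_locations:
            return True
        if self.level is Level.LOCKDOWN:
            return False
        if flow.port in self.blocked_ports or flow.app in self.blocked_apps:
            return False
        return True


class SecurityService:
    """Stand-in for the (global or federated) security service; versioned measures."""

    def __init__(self, trusted_locations):
        self.trusted = set(trusted_locations)
        self.version = 0
        self.measures = SecurityMeasures(Level.NORMAL, set(self.trusted))

    def publish(self, level, blocked_ports=(), blocked_apps=()):
        self.version += 1
        self.measures = SecurityMeasures(level, set(self.trusted),
                                         set(blocked_ports), set(blocked_apps))

    def current(self):
        return self.version, self.measures


class NetworkSecurityModule:
    """Sits between the device and the network; enforces whatever it last polled."""

    def __init__(self, service: SecurityService):
        self.service = service
        self.version = -1
        self.measures = None
        self.poll()

    def poll(self) -> bool:
        """Fetch current measures; returns True if they changed since the last poll."""
        version, measures = self.service.current()
        if version == self.version:
            return False
        self.version, self.measures = version, measures
        return True

    def allow(self, flow: Flow) -> bool:
        return self.measures.permits(flow)


def run_lifecycle():
    """Walk the three stages in the text; returns {stage: {flow name: permitted}}."""
    service = SecurityService(trusted_locations={"security.example"})  # assumed host
    module = NetworkSecurityModule(service)
    flows = {  # constructed sample traffic from a protected application server
        "poll_service": Flow("security.example", 443, "nsm"),
        "db_query": Flow("db.corp.example", 1433, "appserver"),
        "email": Flow("mail.corp.example", 25, "email"),
    }
    results = {}

    def record(stage):
        module.poll()
        results[stage] = {name: module.allow(f) for name, f in flows.items()}

    record("before")
    service.publish(Level.LOCKDOWN)                       # exploit detected
    record("lockdown")                                    # db_query now denied
    service.publish(Level.RESTRICTED, blocked_ports={25}, blocked_apps={"email"})
    record("restricted")                                  # db_query resumes, e-mail still blocked
    service.publish(Level.NORMAL)                         # device patched
    record("normal")
    return results


if __name__ == "__main__":
    for stage, decisions in run_lifecycle().items():
        print(stage, decisions)
```

The module only sees new measures when it polls, so the polling interval bounds how long a device stays exposed after the service publishes a change; the trusted-location exception is what keeps that poll working even under block-all.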
One solution, described in greater detail in commonly assigned, U.S. Provisional Patent Application No. 60/544,772, filed Feb. 13, 2004, entitled “System and Method for Protecting a Computing Device From Computer Exploits Delivered Over a Networked Environment in a Secured Communication,” is to use an override to a network security module, thereby bypassing the security measures designed to protect the network device. However, in many situations, including most business environments, it is not desirable for a network security module to include an override. Most system administrators would prefer to determine which, if any, computers should be able to override protective security measures.
In light of the above-described problems, what is needed is a system and method for enabling specific network devices within a VLAN to communicate while communication activity over the network is restricted due to security threats. These, and other issues found in the prior art, are addressed by the present invention.